Analysis

  • max time kernel
    680s
  • max time network
    682s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 02:17

General

  • Target: document.07.21.doc
  • Size: 69KB
  • MD5: 8198d8aad8008d4b95402f749845b7a1
  • SHA1: 894b40166b312ba747bd379194e00fbea438168c
  • SHA256: 540f3827790f6809cec591526813a664fa4e428e49271211667940a808e70614
  • SHA512: 0563fa6d5382c917a2bd2e054b25dc3f555866296ab2eeffacfafcff1e93fa6d05af0cba1004759b3a6f469232433647fda8b6e5e11f57131ce8fb1f2cfb048d

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document.07.21.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\programdata\sds.hta
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\sds.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:784
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\girlGirlBoys.jpg
          4⤵
          PID:1460
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
        PID:1656

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature


Downloads

  • C:\programdata\sds.hta
    MD5: f8f46135633afaa03568145c8d1316c4
    SHA1: 199c13fc844d44188a8883324c176ce422a97ca6
    SHA256: 83a2b8f097269bd8fb5a70725a3cbfee5308300b197368308e3a5adba849111d
    SHA512: ee55ca0e35efaa1e5d6168cc0ce9f6d0315eb209eb1733c905cbe7fe98cd8511fa7f00e5155b0960b97c750c580104a11bc3fefc4bd31cfa049710aa604c13d5
  • \??\c:\users\public\girlGirlBoys.jpg
    MD5: 78e3f08e416740e064779f0301d15085
    SHA1: 06cb8e53e9299f713629316f9dcc2fe4991ad1fd
    SHA256: eed0186dd421c6ea6e612189b746f38f23545391450227555fa2d56239de1335
    SHA512: 582b765af71ef25c5ccb07a92f45851d8be2248d11dd51e17a643621d7a7903b9ccbc2829d32d082d94bf7c1fd18d5ab46bb02c79d90d7e0a21da44117b5a2bd
  • memory/784-67-0x0000000000000000-mapping.dmp
  • memory/1460-71-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
  • memory/1460-68-0x0000000000000000-mapping.dmp
  • memory/1656-72-0x0000000000000000-mapping.dmp
  • memory/1656-73-0x000007FEFC411000-0x000007FEFC413000-memory.dmp (Filesize: 8KB)
  • memory/1800-64-0x0000000000000000-mapping.dmp
  • memory/2000-63-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize: 8KB)
  • memory/2000-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2000-61-0x0000000070A41000-0x0000000070A43000-memory.dmp (Filesize: 8KB)
  • memory/2000-60-0x0000000072FC1000-0x0000000072FC4000-memory.dmp (Filesize: 12KB)
  • memory/2000-74-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)